b"                                     SOCIAL SECURITY\nMEMORANDUM\n\nDate:   September 30, 2009                                                            Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Implementation of the Social Security Administration's Security Performance Metrics\n        Program (A-14-10-11002)\n\n\n        The attached final quick response evaluation presents the results of our review. Our\n        objective was to determine whether the Social Security Administration\xe2\x80\x99s plan for\n        developing and implementing a security performance metrics program met applicable\n        Federal requirements. Specifically, this evaluation focused on the concerns expressed\n        by the Information Security and Privacy Advisory Board and to ensure the Agency\n        complied with the National Institute of Standards and Technology Special Publication\n        800-55 Revision 1, Performance Measurement Guide for Information Security. This\n        evaluation provides a status of the Agency\xe2\x80\x99s efforts to implement a security\n        performance metrics program.\n\n        If you wish to discuss the final report, please call me or have your staff contact\n        Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.\n\n\n\n\n                                                         Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\n        Attachment\n\x0c    QUICK RESPONSE\n     EVALUATION\nImplementation of the Social Security\nAdministration's Security Performance\n          Metrics Program\n             A-14-10-11002\n\n\n\n\n            September 2009\n\x0c                                                      Mis s io n\nBy c o n d u c tin g in d e p e n d e n t a n d o b je c tive a u d its , e va lu a tio n s a n d in ve s tig a tio n s ,\nwe in s p ire p u b lic c o n fid e n c e in th e in te g rity a n d s e c u rity o f S S A\xe2\x80\x99s p ro g ra m s a n d\no p e ra tio n s a n d p ro te c t th e m a g a in s t fra u d , wa s te a n d a b u s e . We p ro vid e tim e ly,\nu s e fu l a n d re lia b le in fo rm a tio n a n d a d vic e to Ad m in is tra tio n o ffic ia ls , Co n g re s s\na n d th e p u b lic .\n\n                                                    Au th o rity\nTh e In s p e c to r Ge n e ra l Ac t c re a te d in d e p e n d e n t a u d it a n d in ve s tig a tive u n its ,\nc a lle d th e Offic e o f In s p e c to r Ge n e ra l (OIG). 
Th e m is s io n o f th e OIG, a s s p e lle d\no u t in th e Ac t, is to :\n\n   \xef\x81\xad Co n d u c t a n d s u p e rvis e in d e p e n d e n t a n d o b je c tive a u d its a n d\n     in ve s tig a tio n s re la tin g to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad P ro m o te e c o n o m y, e ffe c tive n e s s , a n d e ffic ie n c y with in th e a g e n c y.\n   \xef\x81\xad P re ve n t a n d d e te c t fra u d , wa s te , a n d a b u s e in a g e n c y p ro g ra m s a n d\n     o p e ra tio n s .\n   \xef\x81\xad Re vie w a n d m a ke re c o m m e n d a tio n s re g a rd in g e xis tin g a n d p ro p o s e d\n     le g is la tio n a n d re g u la tio n s re la tin g to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad Ke e p th e a g e n c y h e a d a n d th e Co n g re s s fu lly a n d c u rre n tly in fo rm e d o f\n     p ro b le m s in a g e n c y p ro g ra m s a n d o p e ra tio n s .\n\n   To e n s u re o b je c tivity, th e IG Ac t e m p o we rs th e IG with :\n\n   \xef\x81\xad In d e p e n d e n c e to d e te rm in e wh a t re vie ws to p e rfo rm .\n   \xef\x81\xad Ac c e s s to a ll in fo rm a tio n n e c e s s a ry fo r th e re vie ws .\n   \xef\x81\xad Au th o rity to p u b lis h fin d in g s a n d re c o m m e n d a tio n s b a s e d o n th e re vie ws .\n\n                                                       Vis io n\nWe s trive fo r c o n tin u a l im p ro ve m e n t in S S A\xe2\x80\x99s p ro g ra m s , o p e ra tio n s a n d\nm a n a g e m e n t b y p ro a c tive ly s e e kin g n e w wa ys to p re ve n t a n d d e te r fra u d , wa s te\na n d a b u s e . 
We c o m m it to in te g rity a n d e xc e lle n c e b y s u p p o rtin g a n e n viro n m e n t\nth a t p ro vid e s a va lu a b le p u b lic s e rvic e wh ile e n c o u ra g in g e m p lo ye e d e ve lo p m e n t\na n d re te n tio n a n d fo s te rin g d ive rs ity a n d in n o va tio n .\n\x0c                                                                         Background\nOBJECTIVE\nOur objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA) plan\nfor developing and implementing a security performance metrics program met\napplicable Federal requirements. We performed this evaluation to address information\nsecurity concerns expressed by the Information Security and Privacy Advisory Board\n(ISPAB) 1,2 and to ensure the Agency complied with the National Institute of Standards\nand Technology (NIST) Special Publication (SP) 800-55 Revision 1, Performance\nMeasurement Guide for Information Security. 3 This evaluation provides a status of the\nAgency\xe2\x80\x99s efforts to implement a security performance metrics program.\n\nBACKGROUND\nInformation security performance metrics are used to facilitate decision making and\nimprove performance and accountability through the collection, analysis, and reporting\nof relevant performance-related data. The purpose of measuring performance is to\nreview the status of monitored activities and facilitate improvement in those activities by\napplying corrective actions based on observed measurements. 
Implementing a\nsecurity metrics program will\n\n    \xe2\x80\xa2   increase accountability for information security performance,\n    \xe2\x80\xa2   improve effectiveness of information security activities,\n    \xe2\x80\xa2   demonstrate compliance with laws, rules and regulations, and\n    \xe2\x80\xa2   provide quantifiable inputs for resource allocation decisions.\n\nPerformance metrics are used to weigh the benefits of adding security measures to\ninformation technology (IT) operations and measure the benefits of using these security\nmetrics against costs. The requirement to measure information security performance is\ndriven by regulatory, financial, and organizational reasons. A number of existing laws,\nrules, and regulations cite information performance measurements in general, and\ninformation security performance measurements in particular, as a requirement. These\nlaws include the:\n\n1\n ISPAB was originally created by the Computer Security Act of 1987 (Pub. L. No. 100-235) as the\nComputer System Security and Privacy Advisory Board. As a result of the Federal Information Security\nManagement Act (FISMA) (Pub. L. No. 107-347, Title III, Section 301 et seq.), the Board's name was\nchanged, and its mandate was amended.\n2\n  FISMA letter to the Honorable Jim Nussle, Director, Office of Management and Budget (OMB),\nJuly 2008. The letter offers ISPAB recommendations to OMB regarding the efficacy of security metrics in\nregard to FISMA.\n3\n NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security, issued\nJuly 2008.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                           1\n\x0c       \xe2\x80\xa2   Clinger-Cohen Act, 4\n       \xe2\x80\xa2   Government Performance and Results Act, 5\n       \xe2\x80\xa2   Government Paperwork Elimination Act, 6 and\n       \xe2\x80\xa2   FISMA. 
7\n\nOn July 30, 2008, the Chairman of ISPAB sent a letter to OMB expressing concerns\nwith current information security performance metrics developed under FISMA. ISPAB 8\nquestioned whether the metrics OMB developed under FISMA improved an agency\xe2\x80\x99s\nunderstanding and performance of Government security. The letter stated that this\nprocess has become overly compliance-driven, with excessive attention to fulfilling\ncertification and accreditation and other reporting processes at the expense of\nimplementing, measuring, and improving true security performance. 9,10 As Congress\nconsiders new legislation, one of the fundamental questions is whether FISMA\xe2\x80\x99s current\nreporting requirements address the core question of whether agencies\xe2\x80\x99 security\nmeasures are functioning as intended. 11\n\nISPAB recognized three worthwhile metrics within the FISMA framework that include\ntraditional perimeter measures, such as intrusion detection, 12 penetration\n\n\n\n\n4\n    Pub. L. No. 104-106.\n5\n    Pub. L. No. 103-62.\n6\n    Pub. L. No. 105-277.\n7\n  Pub. L. No. 107-347. FISMA requires that Federal agencies develop, document, and implement an\nagency-wide information security program to provide security for the information and information systems\nthat support the agencies\xe2\x80\x99 operations and assets.\n8\n    See Footnote 2.\n9\n    See Footnote 2.\n10\n  NIST SP 37, Guide for the Security Certification and Accreditation of Federal Information Systems,\npp. 1-2, May 2004. Certification is the comprehensive assessment of the management, operational, and\ntechnical security controls in an information system. Accreditation is the official management decision to\nauthorize operation of an information system.\n11\n  Senator Tom Carper introduced U.S. 
Senate bill S.921-United States Information and Communications\nEnhancement Act of 2009 in April 2009 that would replace FISMA.\n12\n   NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems, section ES-1, February 2007.\nIntrusion detection is the process of monitoring the events occurring in a computer system or network and\nanalyzing these events for signs of possible incidents, which are violations or imminent threats of violation\nof computer security policies, acceptable use policies, or standard security practices.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                               2\n\x0ctesting, 13 and incident response. 14 However, when these measures are obtained, the\nresults are lost amidst the need to comply with the much larger set of FISMA-related\nprocedural requirements. 15\n\nISPAB made the following recommendations to improve the security performance\nmetrics program for Government agencies.\n\n       \xe2\x80\xa2   Revise FISMA and related policy and guidance so that agency and contract\n           incentives will be able to measure and improve actual security.\n\n       \xe2\x80\xa2   OMB and NIST should work with agency Chief Information Officers (CIO) to\n           review FISMA policy and guidance to measure and improve security in a way\n           that manages risk and improves program delivery and eliminates all\n           unnecessary provisions.\n\n       \xe2\x80\xa2   FISMA policy and guidance should encourage accountability for security\n           program performance, through rewards for progress and the maintenance of\n           strong outcomes and consequences for deterioration and continued weak\n           outcomes.\n\n       \xe2\x80\xa2   OMB should issue metrics required under a new FISMA program as early as\n           possible in the fiscal year for which reports are made, rather than late in the year\n           given the many competing demands of the IT 
calendar.\n\n       \xe2\x80\xa2   OMB should use its procurement policy authority to amend the Federal\n           Acquisition Regulation, so agency contract documents give industry incentives to\n           build and measure security based on the same outcome-oriented metrics that\n           are issued in OMB policy and NIST guidance and so that these documents do\n           not require unrelated security activities that add costs and burden to the\n           acquisition system with little or no return.\n\nIn July 2008, NIST SP 800-55 Revision 1 16 was issued to assist Government agencies\nin the development, selection, and implementation of measures that indicate the\neffectiveness of information security controls.\n\n\n13\n  NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, section 5-2,\nSeptember 2008. Penetration testing is security testing in which assessors mimic real-world attacks to\nidentify methods for circumventing the security features of an application, system, or network.\n14\n  Appendix III OMB Circular No. A-130, Security of Federal Automated Information Resources, p. 3.\nIncident response capability ensures that there is a capability to provide help to users when a security\nincident occurs in the system and to share information concerning common vulnerabilities and threats.\n\n15\n  Letter to the Honorable Jim Nussle, Director, OMB, July 2008. The letter offers ISPAB\nrecommendations to OMB regarding the efficacy of security metrics in regard to FISMA.\n16\n     NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security, p. 1.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                               3\n\x0cIn October 2008, we issued a memorandum to SSA advising it of ISPAB\xe2\x80\x99s concerns. 
In\nresponse to our memorandum, SSA indicated its intentions to comply with any Federal\nlegislation or directives related to incorporation of performance-based metrics. Given\nthat SSA had not implemented its plan for an information security performance metrics\nprogram at that time, we were unable to determine whether the Agency\xe2\x80\x99s plans met\napplicable Federal requirements. As a result, we performed this evaluation to provide a\nstatus of the Agency\xe2\x80\x99s efforts to develop a performance metrics program for its security\nprogram as well as offer suggestions for management\xe2\x80\x99s consideration.\n\n\n\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)           4\n\x0c                                                   Results of Review\nBased on our evaluation, SSA has been responsive to our October 2008 memorandum\nand has initiated steps to develop a security performance metrics program. The\nproposed program builds on the Agency\xe2\x80\x99s current reporting model, which is based on\nFISMA, and envisions including critical elements for a more comprehensive program.\n\nSSA\xe2\x80\x99s Current Information Security Performance Metric Reporting Efforts\n\nUnder FISMA, the Agency conducts numerous activities to safeguard information\nsystems and resources. SSA conducts rigorous testing of its information systems and\noversees a range of ongoing IT security activities. Some of the security activities\nconducted and performance metrics reported under the FISMA framework are as\nfollows.\n\n\xe2\x80\xa2   The Agency performs annual testing of its IT security controls as part of the annual\n    FISMA evaluation and financial statement audit. Identified weaknesses and\n    deficiencies are documented using an automated tracking tool. A Plan of Action and\n    Milestones (POA&M) is created to resolve each identified weakness. 
POA&Ms are\n    reported annually and quarterly to OMB.\n\xe2\x80\xa2   All SSA personnel receive IT security awareness training annually. The Office of the\n    CIO (OCIO) works with the Office of Acquisition and Grants to provide awareness\n    training to SSA contractor personnel. Additionally, SSA provides specialized training\n    to personnel with significant security responsibilities.\n\xe2\x80\xa2   SSA conducts extensive network and workstation scanning to identify and remove\n    harmful or inappropriate files that violate the Agency\xe2\x80\x99s IT security policies.\n\nIn addition to FISMA-related activities, SSA complied with other directives issued by\nOMB designed to strengthen Federal IT security programs. One example of a current\nOMB initiative is the Federal Desktop Core Configuration (FDCC). FDCC provides\nsecure common desktop configurations for Windows operating systems.\n\nSSA\xe2\x80\x99s Efforts to Develop a More Comprehensive Security Performance Metrics\nProgram\n\nIn October 2008, we issued a memorandum to SSA emphasizing the importance of\nimplementing a Security Performance Metrics program (see Appendix B). The\nmemorandum highlighted the Government information security community\xe2\x80\x99s focus on\ninformation security performance metrics\xe2\x80\x94specifically the concerns raised by ISPAB.\nThe ISPAB memorandum indicated that outcome-based metrics would make Agency\nsecurity performance more transparent and emphasized a concrete set of actions\nneeded to improve the underlying trustworthiness of IT systems. 
Furthermore, these\nmetrics should (1) focus on risk management rather than compliance; (2) have a line-of-\n\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)            5\n\x0csight to business and program goals rather than IT operations; and (3) assess both\nstatus and progress.\n\nSSA began developing a more comprehensive information security metrics program.\nOne of the key steps taken by SSA to assist with developing the Agency\xe2\x80\x99s security\nmetrics program was OCIO\xe2\x80\x99s Office of Information Technology and Security Policy\n(OITSP) awarding a task order to Booz Allen Hamilton (BAH) in September 2008. 17\nBAH\xe2\x80\x99s objective was to analyze and define IT security measures and metrics to track\nthe impact of risk management goals through identifying practices that evaluate security\ncontrol implementation across the SSA enterprise. BAH was to develop a handbook\nrecommending program and system-level metrics for SSA that would establish a direct\nrelationship between the corresponding program activities and SSA\xe2\x80\x99s mission.\n\nIn April 2009, BAH provided the Agency with an initial draft handbook. This document\nanalyzed SSA\xe2\x80\x99s current IT security metrics collection processes and summarized the\nactions needed for mature metrics development including steps needed to create and\nmaintain an IT security performance measurement program. SSA expressed concerns\nwith the initial handbook because BAH included highly sensitive information that\ndescribed the Agency\xe2\x80\x99s current collecting and reporting processes for its security\nmetrics that feed into four quarterly reports. 18 SSA requested BAH remove this\ninformation from the handbook to protect the privacy of the Agency\xe2\x80\x99s data collecting and\nreporting processes.\n\nIn May 2009, BAH submitted a revised draft handbook. 
This handbook provided the\ninformation security management and system owners with the necessary guidance and\nprocedures for collecting, storing, analyzing, and reporting on security performance\nmetrics. Both draft handbooks outlined steps to implement a metrics program as\ndefined by the NIST SP 800-55 Revision 1, Security Metrics Guide for Information\nTechnology Systems. The Agency was generally satisfied with BAH\xe2\x80\x99s revised draft\nhandbook. In July 2009, the OCIO provided the BAH draft handbook to other Agency\ncomponents for comment. SSA plans to implement the BAH final handbook in January\n2010. The Agency stated that the security performance metrics handbook will serve as\nthe OCIO\xe2\x80\x99s synthesis of the high level requirements from NIST and OMB for the\nAgency. Given the existing disparate and federated management structure of SSA, the\nsecurity performance metrics handbook is not intended to provide specific granular and\nauthoritative metrics for the Agency. SSA intentionally designed the security\nperformance metrics handbook to provide examples of best practices for component\n\n17\n     The BAH task order was $107,000 under contract #SS-00-08-40029 Task # 4.\n18\n  SSA Security Metrics Handbook, Version 1.1, April 6, 2009, section 3, p. 9. OITSP currently collects\nsecurity metrics from a variety of sources to prepare the four quarterly reports. These sources include\nFISMA Information Security, POA&Ms, Senior Agency Officials for Privacy, and OIG reports. Additionally,\nOITSP provides input to SSA\xe2\x80\x99s e-Government IT Security Scorecard and completes the data collection\nand updates on a quarterly basis as required by OMB guidelines. These quarterly activities help prepare\nthe program office for the larger Agency annual report which feeds directly into SSA\xe2\x80\x99s IT Security report\ncard grade for the year. 
This grade, provided by Congress, evaluates the implementation of FISMA\nrequirements.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                           6\n\x0creconciliation and application. SSA needs to ensure that guidance and direction is\nsufficient to provide for the development and implementation of a sound information\nsecurity performance metrics program.\n\nFurther Development of SSA\xe2\x80\x99s Information Security Metrics Program\n\nAn information security measures development process consists of two major activities:\n\n\xe2\x80\xa2     Identification and definition of the current information security program.\n\n\xe2\x80\xa2     Development and selection of specific measures to gauge the implementation,\n      effectiveness, efficiency, and impact of the security controls. 19\n\nWhile we acknowledge the Agency\xe2\x80\x99s proactive efforts by having BAH develop the\nperformance metrics handbook, we encourage SSA to ensure that the above activities\nare an integral part of its process for developing IT security performance metrics.\n\nSSA acknowledged the need and has taken steps to develop a more comprehensive\ninformation security metrics performance program. However, based on our analysis, we\nidentified some areas the Agency should be aware of as it moves forward in developing\na more comprehensive security metrics program.\n\nNIST recommended specific steps in the measure development process. 20 The\nmeasure development process involves the following phases.\n\n       \xe2\x80\xa2   Stakeholder interest identification.\n       \xe2\x80\xa2   Goals and objective definition.\n       \xe2\x80\xa2   Information security policy, guidelines, and procedures review.\n       \xe2\x80\xa2   Information security program implementation review.\n       \xe2\x80\xa2   Measures development and selection.\n\nSSA identified relevant stakeholders for the information security performance metrics\nprogram. 
However, NIST states an organization should identify and document system\nsecurity performance goals and objectives. 21 SSA provided the Agency\xe2\x80\x99s strategic\ngoals and objectives in both BAH drafts; however, the information security goals and\nobjectives were missing in the latest version of the BAH draft handbook. Information\nsecurity performance goals state the desired results of an information program\n19\n     NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Sec. 5, p. 25.\n20\n  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Sec. 5, p. 25.\nThe measures development process identifies relevant stakeholders and their interests in information\nsecurity measurement.\n21\n  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Sec. 5, p. 26.\nThe measures development process identifies and documents information system security\nperformance goals and objectives that would guide security control implementation for the information\nsecurity program of a specific information system.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                             7\n\x0cimplementation, such as, \xe2\x80\x9cAll employees should receive adequate information security\nawareness training.\xe2\x80\x9d Information security performance objectives enable\naccomplishment of goals by identifying practices defined by information security policies\nand procedures that direct consistent implementation of security controls across the\norganization. NIST guidance provides an example of how an agency would link its\nsecurity performance goal, \xe2\x80\x9cAll new employees receive new employee training\xe2\x80\x9d to the\nsupporting objectives. 
The example shows that employee training objectives include\nproviding a summary of the Rules of Behavior as well as a summary of, and a reference\nto, the organization\xe2\x80\x99s information security policies and procedures. In reviewing the\nBAH draft handbook, the information security goals were identified; however, the\nspecific corresponding objectives and means of accomplishing the information security\ngoals were not yet fully defined.\n\nIn the measures development process, an organization should establish policies,\nguidelines, and procedures that focus on organization-specific information security\npractices. SSA is in the process of establishing the policies, guidelines, and procedures\nfor its information security metrics program with an anticipated completion date of\nJanuary 2010. These policies, guidelines, and procedures should describe how\nimplementing security controls, requirements, and techniques lead to accomplishing\ninformation security performance goals and objectives.\n\nFurther, SSA has not yet fully addressed the information security program\nimplementation review and measures development and selection steps. The\ninformation security program implementation review allows an organization to identify\nany existing measures and data repositories that can be used to derive measures data\nfor review. In the measures development and selection stage, measures dealing with\noverall information security program performance should:\n\n\xe2\x80\xa2   Be mapped to information security goals and objectives that may encompass\n    performance of information security across the spectrum of security controls.\n\xe2\x80\xa2   Use data describing the information security program performance to generate\n    required measures.\n\nWe believe SSA should define the goals and objectives for the information security\nperformance metrics program according to NIST guidance. 
The Agency should also\naddress the remaining three steps of the measures development process as outlined in\nthe NIST guidance.\n\n\n\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)            8\n\x0cMoreover, we recently issued an audit report that identified weaknesses that could\nprevent an information security performance metrics program from being successful. 22\nThis report found that SSA\xe2\x80\x99s OCIO did not have sufficient delegated authority or\nresources to carry out its security monitoring and management responsibilities. SSA\nshould consider these issues while developing and implementing its information security\nperformance metrics program and address them, as appropriate.\n\nMeasuring performance provides managers crucial information on which to base their\norganizational and management decisions. The development and implementation of a\nsound information security performance metrics program will help ensure SSA moves\ntoward a reliable, resilient, and trustworthy digital infrastructure for the future. 23\n\nSSA\xe2\x80\x99s information security performance metrics program should focus on measuring the\nimpact and effectiveness of the Agency\xe2\x80\x99s security activities and not merely compliance\nwith laws and regulations. 
Otherwise, SSA will not be able to determine whether its\ninformation security program is truly meeting its goals and protecting the Agency\xe2\x80\x99s\nsensitive information.\n\n\n\n\n22\n  OIG, Follow up: Social Security Administration\xe2\x80\x99s Computer Security Program Compliance\n(A-14-09-19048), issued September 24, 2009.\n23\n Melissa Hathaway, former Cybersecurity Chief at the National Security Council, Cyberspace Policy\nReview, May 2009.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                        9\n\x0c                                        Matters for Consideration\nSSA has one of the largest data processing centers with one of the largest collections of\nsensitive personal data. The Agency\xe2\x80\x99s computer system contains demographic,\nearnings, and/or benefit information for almost every American. Moreover, SSA\nprocesses over 75 million business transactions per day and stores almost 250 million\nmedical records, while adding 2 million more each week. Its databases contain\nsensitive personally identifiable information, such as names, addresses, dates of birth,\nmothers\xe2\x80\x99 maiden names, earnings, and Social Security numbers. In addition, the\nAgency exchanges over 1 billion data files annually with Government and business\nentities for benefit management and homeland security purposes.\n\nGiven the characteristics and volume of data maintained and processed at SSA, it is\nimperative that SSA bolster its existing information security program by establishing\nmetrics to reflect how well the program is achieving its goal of information protection.\nThe need for making information security and its performance metrics a priority is\nsupported by a recent Presidential report, Cyberspace Policy Review: Assuring a\nTrusted and Resilient Information and Communications Infrastructure. 
In this report, the\nSpecial Advisor to the President on Cybersecurity recommended designating\ncybersecurity as one of the President\xe2\x80\x99s key management priorities and establishing\nperformance metrics. 24 The report provides a formal cybersecurity program\nassessment framework where \xe2\x80\x9cDepartments and agencies would define their specific\nprogram\xe2\x80\x99s purpose and goal as well as identify metrics to evaluate whether the goals\nare achieved.\xe2\x80\x9d\n\nThe attacks on networks in the United States and South Korea are the latest reminder\nthat cybersecurity remains a pressing concern in the 21st century. As evidenced by a\nrecent report, a series of cyber attacks on computer networks in South Korea and the\nUnited States was apparently the work of North Korean hackers. While SSA may not\nhave been a direct target of the North Korean attacks, these attacks demonstrate the\nneed to continuously monitor information systems and the security measures employed\nto protect them.\n\nPending legislation introduced by Senator Tom Carper 25 further emphasizes\nperformance metrics as a requirement that involves continuous testing and evaluation of\ninformation security controls and techniques to ensure they are effectively implemented.\n\n24\n   Melissa Hathaway, former Cybersecurity Chief at the National Security Council, Cyberspace Policy\nReview, May 2009. The President directed a 60-day, comprehensive, \xe2\x80\x9cclean-slate\xe2\x80\x9d review to assess U.S.\npolicies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards\nregarding the security of and operations in cyberspace. 
It encompasses the full range of threat reduction,\nvulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery\npolicies and activities, including computer network operations, information assurance, law enforcement,\ndiplomacy, military, and intelligence missions as they relate to the security and stability of the global\ninformation and communications infrastructure.\n25\n     S.921, United States Information and Communications Enhancement Act of 2009, April 28, 2009.\n\nImplementation of SSA\xe2\x80\x99s Security Performance Metrics Program (A-14-10-11002)                           10\n\x0cIt is apparent that the concerns of the Administration and Congress are well-justified.\nTo that end, their recommendations, as well as those of the ISPAB for establishing\neffective information security performance metrics, offer a viable approach to track the\nsuccess of an information security program.\n\nWe understand the Agency is developing an information security performance metric\nprogram. We acknowledge and applaud SSA for being proactive in developing this\nprogram despite it not being required or mandated at this time. We encourage the\nAgency to continue these efforts and take the necessary steps to fully develop its\ninformation security performance metrics program.\n\nBased on the present state of the Agency\xe2\x80\x99s metrics program, we are providing the\nfollowing comments for SSA\xe2\x80\x99s consideration. These comments should help improve the\nAgency\xe2\x80\x99s program and ensure its success. 
To assist SSA in addressing applicable\nFederal guidance for developing and implementing an Agency-wide security metrics\nprogram, we believe SSA should consider:\n\n    \xe2\x80\xa2   Ensuring the information security performance metrics program addresses the\n        key measure development steps recommended by NIST in SP 800-55 Revision 1.\n    \xe2\x80\xa2   Implementing an Agency-wide information security performance metrics program\n        in accordance with applicable Federal guidance. These measures should be\n        quantifiable, repeatable, consistent, and actionable.\n\n                                           Appendices\nAPPENDIX A - Acronyms\nAPPENDIX B - Efficacy of Federal Security Performance Metrics Memorandum\nAPPENDIX C - Scope and Methodology\nAPPENDIX D - OIG Contacts and Staff Acknowledgments\n\n                                                                         Appendix A\n\nAcronyms\n\n    BAH                Booz Allen Hamilton\n\n    CIO                Chief Information Officer\n\n    FDCC               Federal Desktop Core Configuration\n\n    FISMA              Federal Information Security Management Act\n\n    FY                 Fiscal Year\n\n    ICE                Information and Communication Enhancement\n\n    ISPAB              Information Security and Privacy Advisory Board\n\n    IT                 Information Technology\n\n    NIST               National Institute of Standards and Technology\n\n    OCIO               Office of the Chief Information Officer\n\n    OIG                Office of the Inspector General\n\n    OITSP              Office of Information Technology and Security Policy\n\n    OMB                Office of Management and Budget\n\n    POA&M              Plan of Action and Milestones\n\n    Pub. L. No.        
Public Law Number\n\n    SP                 Special Publication\n\n    SSA                Social Security Administration\n\n                                                                         Appendix B\n\nEfficacy of Federal Security Performance\nMetrics Memorandum\n\n                                      SOCIAL SECURITY\nMEMORANDUM\n\nDate:   October 20, 2008                                                       Refer To:\n\nTo:     See Below\n\nFrom:   Assistant Inspector General\n         for Audit\n\nSubject: Efficacy of Federal Security Performance Metrics\n\n\n\n        The Government information security community has focused increased attention on\n        information security performance metrics. In July 2008, the Information Security and\n        Privacy Advisory Board (ISPAB) issued a memorandum to the Office of Management\n        and Budget (OMB) on the efficacy of Government security performance metrics and the\n        extent to which such metrics can serve as indicators of security progress and\n        performance (see Attachment A). Specifically, ISPAB questions whether metrics\n        developed by OMB under the Federal Information Security Management Act of 2002\n        (FISMA) are focused in a way that improves agency understanding and performance of\n        Government security. 
Almost concurrent with ISPAB\xe2\x80\x99s memorandum to OMB was the\n        National Institute of Standards and Technology\xe2\x80\x99s issuance of the Performance\n        Measurement Guide for Information Security (Special Publication 800-55 Revision 1).\n        This guidance is recognized as a means to assist in the development, selection and\n        implementation of measures to indicate the effectiveness of information security\n        controls.\n\n        The ISPAB found that the FISMA metrics program did enhance focus on agency\n        security activities. However, this process has become overly compliance-driven, with\n        excessive attention to fulfilling Certification & Accreditation and other reporting\n        processes at the expense of implementing, measuring, and improving true security\n        performance. According to ISPAB, agencies often write or contract for security\n        documentation after the fact, rather than embedding and documenting security during\n        development to ensure security is built into programs and systems up front.\n\nISPAB recommended that FISMA, and related policy and guidance, be revised to\nestablish agency and contract incentives to measure and improve security. Outcome-\nbased metrics would make agency security performance more transparent and point to\na concrete set of actions related to improvements, as well as increase underlying\ntrustworthiness of information technology systems. 
These metrics should (1) focus on\nrisk management, rather than compliance; (2) have a line of sight to business and\nprogram goals rather than information technology operations; and (3) assess both\nstatus and progress.\n\nIn light of the increased focus on information security performance metrics and the\nGovernment Accountability Office\xe2\x80\x99s current audit of SSA\xe2\x80\x99s information security metrics,\nwe are providing copies of the ISPAB memorandum (Attachment A) and the National\nInstitute of Standards and Technology publication (Attachment B\nhttp://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf). To help us\nunderstand the Agency\xe2\x80\x99s posture for responding to these items, we are requesting that\nyou provide a written response indicating whether SSA has already taken or plans to\ntake action to address the concerns identified in the ISPAB memorandum. We would\nappreciate a response by November 7, 2008. If you have any questions or concerns\nplease contact me at 410-965-9700.\n\n\n                                                  /s/\n                                                  Steven L. Schaeffer\n\nAddressees:\nDeputy Commissioner for Budget, Finance and Management\nChief Information Officer\nDeputy Commissioner for Systems\n\nAttachments\n\ncc:\nP. O\xe2\x80\x99Carroll\nD. Foster\nJ. 
Kissko\n\n                                                                               Attachment A\n\n[Attachment A: ISPAB memorandum to OMB on the efficacy of Government security performance metrics, July 2008, not reproduced here]\n\n                                                                                   Appendix C\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xef\x82\xa7   Reviewed applicable Federal laws, directives, and other guidance, as well as\n    industry standards and best practices.\n\n\xef\x82\xa7   Obtained and reviewed the Social Security Administration\xe2\x80\x99s (SSA) Information\n    Security Performance Metrics program.\n\n\xef\x82\xa7   Reviewed Federal Information Security Management Act (FISMA) Fiscal Year 2008\n    guidance.\n\n\xef\x82\xa7   Reviewed the Office of the Inspector General\xe2\x80\x99s (OIG) FY 2008 FISMA report and\n    other relevant OIG reports.\n\n\xef\x82\xa7   Interviewed personnel from SSA\xe2\x80\x99s Office of the Chief Information Officer.\n\n\xef\x82\xa7   Reviewed documentation from other Federal agencies\xe2\x80\x99 information security\n    performance metrics programs.\n\nThe results of our review are based on the above information provided by SSA. We\nperformed our review during July and August 2009 in Baltimore, Maryland. The entities\nreviewed were the Offices of the Chief Information Officer and Deputy Commissioner for\nSystems. 
We conducted our review in accordance with the President\xe2\x80\x99s Council on\nIntegrity and Efficiency\xe2\x80\x99s 1 Quality Standards for Inspections.\n\n1\n  In January 2009, the President\xe2\x80\x99s Council on Integrity and Efficiency was superseded by the Council of\nthe Inspectors General on Integrity and Efficiency, Inspector General Reform Act of 2008, Pub. L. No.\n110-409 \xc2\xa7 7, 5 U.S.C. App. 3 \xc2\xa7 11.\n\n                                                                         Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n       Brian Karpe, Acting Division Director, Information Technology Audit Division\n\n       Phil Rogofsky, Audit Manager\n\nAcknowledgments\nIn addition to those named above:\n\n       Mary Ellen Moyer, Audit Manager\n\n       Tina Nevels, Auditor\n\n       Cheryl Dailey, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. 
Refer to Common Identification Number\nA-14-10-11002.\n\n                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security, Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\n                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n"